U.S. House of Representatives
Committee on Ways and Means
Subcommittee on Social Security

Statement for the Record

Hearing on the Direct Deposit of Social Security Benefits

The Honorable Patrick P. O’Carroll, Jr.
Inspector General, Social Security Administration

September 12, 2012

Good morning, Chairman Johnson, Ranking Member Becerra, and members of the Subcommittee. It is a pleasure to appear before you, and I thank you for the invitation to testify today. I have appeared before Congress many times to discuss issues critical to the Social Security Administration (SSA) and the services the Agency provides. Today, we are addressing a current and serious challenge for the Agency and its beneficiaries: identity thieves’ fraudulent redirection of Social Security benefit payments.

Background

SSA certifies payments to Social Security beneficiaries; this certification effectively authorizes the release of such payments. [1] In response, the Department of the Treasury issues the payment, by paper check or some form of direct deposit. Ninety-four percent of Social Security benefit payments and 82 percent of SSI payments are made through direct deposit. Beneficiaries who enroll in direct deposit can receive payments through:

   • traditional financial institutions, including electronic-transfer accounts,
   • the Treasury’s Direct Express Debit MasterCard Program, or
   • various pre-paid debit cards.

Pursuant to a Federal regulation, on March 1, 2013, the Treasury will require almost all beneficiaries to receive payments through direct deposit, though paper checks will still be available to some beneficiaries under very limited circumstances. SSA thus expects an increase in direct deposit-related enrollments from its customers.
Direct deposit payments offer a timely, convenient, and secure method for people to receive their federal benefits, instead of cashing a paper check; the Treasury has also stated the move to electronic benefit payments would cut costs associated with issuing paper checks. We fully support SSA’s and the Treasury’s efforts to make this transition. Nevertheless, we are concerned that some beneficiaries who have become victims of identity theft have found that the criminals responsible used their personally identifiable information to redirect their Social Security benefits to another financial account without their authorization.

SSA offers beneficiaries several ways to make changes to direct deposit information: in person at an SSA field office, over the phone, via the Internet, or through the beneficiary’s financial institution. In October 2011, the SSA Office of the Inspector General (OIG) began tracking allegations indicating that individuals—other than the Social Security beneficiaries or their representative payees—had initiated potentially unauthorized changes to direct deposit information and redirected beneficiary payments to other accounts. As of August 31, 2012, my office has received more than 19,000 reports from various sources concerning questionable direct deposit changes to a beneficiary’s record; we continue to receive about 50 such reports per day.
These reports have involved either an unauthorized change to direct deposit information, or a suspected attempt to make such a change.

[1] The term “beneficiary” refers to both Social Security beneficiaries and Supplemental Security Income recipients.

OIG Response

My office has responded to these reports by opening multiple investigations across the country. Thus far, we have determined the suspects have predominantly targeted older citizens’ personally identifiable information (PII) through various methods of social engineering, such as telemarketing and lottery schemes, as well as through other sources. After obtaining the PII, the suspects have used the information to initiate a direct deposit change and redirect a victim’s benefits to a fraudulent account.

We continue to encounter beneficiaries who have been victimized and severely affected by this scheme. For example, in August 2011, an 86-year-old beneficiary received a letter indicating he won $3.5 million. The letter included a phone number and requested he provide some personal information so that he could collect his winnings; the man called the number and submitted some of his information.

Within days of the phone call, an unauthorized change was made to the man’s direct deposit information with SSA. Soon after, the man did not receive his scheduled Social Security payment, so he contacted SSA, only to learn that his benefits were diverted to a different account. He was issued a replacement payment, but the man reported that the ordeal caused two months of hardship, as he was forced to obtain a bank loan to pay his rent and for other living expenses.
Additionally, our audit work determined the man’s payments were diverted a second time; he was again issued a replacement payment.

In another unsettling example, a 68-year-old beneficiary’s direct deposit information was changed 13 times in an eight-month period, according to SSA’s records. In this case, an individual called the man and claimed to be an official from a well-known sweepstakes company; he said the man won $2.5 million, but the man needed to send money to the caller to receive all of his winnings.

The beneficiary reported that he sent several thousand dollars to the caller through a financial service company. He also reportedly sent $1,000 to the caller through two pre-paid debit cards. The beneficiary provided his personal information to the caller during these transactions, and subsequently, his direct deposit information was changed multiple times over the next several months, with his benefit payments redirected to at least six different pre-paid debit cards during that time. Unauthorized account changes occurred several times throughout a payment cycle in an attempt to redirect his benefits.

The threat of identity theft and misuse of Government funds is evident, as unscrupulous individuals continue to target some of our most vulnerable citizens. My office has partnered with the Treasury OIG to investigate these schemes, some of which have roots in Jamaica but reach across the United States. Our special agents are also working with other Federal law enforcement agencies, such as the U.S. Postal Inspection Service and Immigration and Customs Enforcement, in ongoing investigations.

As part of our investigative efforts, our special agents, along with Treasury OIG, traveled to Jamaica in June 2012, and met with U.S. officials regarding this matter. Our investigators continue to share information with U.S.
law enforcement from the embassy in Jamaica.

We are working with U.S. Attorneys’ Offices across the country, and State and local prosecutors, to bring charges against individuals perpetrating this fraud. We have executed search warrants, made arrests, and worked with prosecutors to charge several individuals.

For example:

   • A U.S. citizen and a Jamaican National residing in St. Louis pleaded guilty to Federal charges including identity theft and wire fraud. They reportedly targeted beneficiaries throughout the country, deceiving the beneficiaries into sending them money through wire transfers and pre-paid debit cards. The individuals allegedly sent the beneficiaries’ money to another Jamaican National in Montego Bay, Jamaica. The suspect in Jamaica faces similar charges, but has not been arrested.
   • In Florida, our special agents investigated several individuals who allegedly stole victims’ PII and redirected tax refund checks and Social Security benefits to pre-paid debit cards. Two individuals were charged with identity theft and conspiracy to commit wire fraud and mail fraud.
   • In New York, our special agents arrested a man who reportedly stole beneficiaries’ PII and redirected their payments to pre-paid debit cards. He reportedly used the cards to make ATM withdrawals and pay for store purchases.
     He faces charges of identity theft and grand larceny.

Reviews and Recommendations

While investigating this fraudulent scheme on several fronts, we also initiated several reviews of SSA’s controls over the processing of beneficiary direct deposit information.

I mentioned that SSA offers beneficiaries several ways to change their personal and financial records; one of those ways is by calling the Agency’s national 800-phone number, where trained SSA staff can process requests to initiate, change, or cancel a direct deposit plan.

As reports of attempts to make unauthorized changes to beneficiary accounts surfaced, SSA in November 2011 revised its policy for verifying the identities of individuals who request direct deposit changes over the phone. The Agency also reminded staff how to properly process such requests over the phone, especially if notations in SSA systems indicated a beneficiary’s information was previously changed fraudulently.

Despite this, our review of the Agency’s controls over direct deposit routing-number changes by phone found that they were not fully effective. Accurately verifying an individual’s identity over the phone presents more challenges to SSA staff than a face-to-face verification in a field office; thus, the risk of fraudulent record changes increases when staff processes requests over the phone.

SSA needs sufficient authentication controls in place to prevent the processing of potentially unauthorized changes to a beneficiary’s direct deposit records.
Confirming a beneficiary’s PII does not guarantee the caller is the beneficiary; SSA has beneficiary-specific information in its systems it could request for additional verification purposes.

In another review, we have found that the Agency’s controls over direct deposit account changes made in SSA field offices were not fully effective. We found that SSA’s procedures to redirect Social Security payments required a lower level of identity verification than for other business transactions. SSA should implement more robust identity verification procedures before processing account changes.

Beneficiaries may also make direct deposit changes through automated enrollment with financial institutions; in Calendar Year 2011, this method accounted for a large number of account changes, including initiating direct deposit. The financial institutions then forward the account information to SSA through the Treasury. However, we found several financial institutions provided SSA unauthorized direct deposit changes through automated enrollment requests, which the Agency then processed. SSA has stated its systems are not designed to prevent processing unauthorized automated enrollment changes. Moreover, financial institutions perform identity verification at their own discretion; they themselves must implement reasonable procedures to verify the identities of individuals who open new accounts.
Because SSA relies on the financial community for accurate and secure information, but is not directly involved with the individual institutions, the Agency must work with the Treasury to improve banks’ and credit unions’ identity verification controls for account changes.

In addition to what appeared to be unauthorized direct deposit changes using traditional bank accounts, we found that some financial institutions provided potentially fraudulent direct deposit changes to prepaid debit cards. Beneficiaries can use any of SSA’s direct deposit change methods to redirect their benefits to a prepaid debit card. These cards are purchased at retailers or online. Financial institutions issue these cards through many different service providers. In August, a major pre-paid debit card vendor informed my office that it would add additional authentication controls to its online Federal-payment enrollment process by the end of the year. The Treasury should also consider the option of developing unique routing numbers for pre-paid debit cards, as these cards are particularly tempting tools for benefit thieves.

We have also reviewed the Treasury’s Direct Express debit card program. Direct Express is a low-cost program, administered by Comerica Bank, which allows beneficiaries who do not have a bank account to access their Federal benefit payments with a debit card.

We found that SSA could improve its controls over the enrollment and post-entitlement process for beneficiaries in the Direct Express program. When Comerica initiates and verifies identification for Direct Express enrollments with SSA, the Agency matches a limited amount of beneficiary information against the Direct Express record to verify and approve the enrollment. SSA should work with the Treasury and Comerica to enhance identity verification for enrollment and incorporate SSA policies into the Direct Express program.
For example, Direct Express should not allow multiple beneficiaries to enroll on the same card without SSA’s explicit approval; and debit cards should not be sent to foreign addresses if residency is a factor in continuing eligibility for benefits, as in the Supplemental Security Income program.

We are working on one additional report that will quantify the cost of replacing Social Security benefit payments that were lost due to unauthorized direct deposit changes.

Suggested Controls over Account Changes

We have done and continue to do significant audit work on this issue, but there are several controls the Agency could implement quickly to reduce fraudulent direct deposit changes:

   1. Continue the planned implementation to block auto-enrollments for individuals who express concerns about fraudulent attempts to change their direct deposit information through auto-enrollment. SSA has reported to us they plan to implement an auto enrollment “block” in October 2012.
   2. Develop an automated notification system to alert beneficiaries of changes made to their direct deposit information; for example, through an automatic e-mail, a text message, or a notice mailed to both the old and new addresses on record when a caller requests and SSA processes an address and direct deposit change at the same time.
   3. Consider delaying direct deposit changes for a certain amount of time, instead of implementing changes immediately after receiving a request for a change, to identify potential overpayments before they are made.

Additionally, my office continues to urge all individuals, especially older beneficiaries, to take basic preventive steps to protect their personal information from improper use.
We urge everyone to be aware of the prevalence of phishing and lottery schemes—no reputable financial institution or company will ask for upfront money in exchange for additional winnings; or for personal information like a Social Security number or bank account number via phone, mail, or Internet. Moreover, when Social Security beneficiaries become aware that they are victims of identity theft, they can block electronic access to their information in SSA’s records, a service available at www.socialsecurity.gov/blockaccess. By knowing how to protect ourselves, we make life much more difficult for identity thieves.

Conclusion

My office has responded to this widespread fraud scheme with multiple investigations across the country and collaborations with other government and law enforcement agencies. We have initiated a variety of audit reviews with several policy and authentication recommendations to SSA, the Treasury, and financial institutions. We have also increased our public outreach efforts, producing a YouTube public service announcement on protecting personal information, and publishing several OIG website articles and blog posts about fraudulent lottery schemes and guarding against identity theft.

The recent rash of fraudulent changes to Social Security beneficiary accounts is a serious issue facing SSA, and the Agency must act swiftly to protect beneficiaries and taxpayer dollars. As almost all Social Security beneficiaries will soon receive their payments electronically, SSA must quickly implement policy changes and work with the Treasury, which has oversight of the financial community, to guard against identity thieves who will continue their attempts to defraud SSA and its beneficiaries.

We will continue to provide information to your Subcommittee and Agency decision-makers as we address this issue. Thank you again for the opportunity to speak with you today.
I am happy to answer any questions.